Yes - and we have a very small POC for EAS devices (we are still on
e2k3).  We are primarily a BB shop - this may change when we get to e2k7
or 10 or whatever when these devices are better controlled and provide
at least some intranet access.

-----Original Message-----
From: Peter Johnson [mailto:peter.john...@peterstow.com] 
Sent: Wednesday, July 22, 2009 1:08 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA / SSL question

How do u guys enforce it? Do u turn off ActiveSync for anyone who
doesn't have a corporate issued mobile phone?







-----Original Message-----
From: John Cook [mailto:john.c...@pfsf.org] 
Sent: 22 July 2009 21:09
To: MS-Exchange Admin Issues
Subject: RE: OWA / SSL question

+1 Keeps things nice and tidy.

John W. Cook
Systems Administrator
Partnership For Strong Families
315 SE 2nd Ave
Gainesville, Fl 32601
Office (352) 393-2741 x320
Cell     (352) 215-6944
Fax     (352) 393-2746
MCSE, MCTS, MCP+I, A+, N+, VSP4, VTSP4


-----Original Message-----
From: Don Andrews [mailto:don.andr...@safeway.com]
Sent: Wednesday, July 22, 2009 3:56 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA / SSL question

We have a nice EVP authored policy that says;
<quote>
[The company] maintains a policy that all individual communication
services are owned by [the company] and are intended solely for business
use.

[The company] does not allow employee-owned communication devices or
mobile numbers to become corporate devices.

There will be no exceptions made to Corporate Ownership.
<unquote>

This has been tested several times and the same answer comes back - what
part of no don't you understand?

iPhones are not on the list of cell phone choices for company phones.
Blackberries are but not including the storm.


-----Original Message-----
From: Kim Longenbaugh [mailto:k...@colonialsavings.com]
Sent: Wednesday, July 22, 2009 10:40 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA / SSL question

We said "no", then our owner said "yes".
We said "well, ok then"

-----Original Message-----
From: Don Andrews [mailto:don.andr...@safeway.com]
Sent: Wednesday, July 22, 2009 12:34 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA / SSL question

One of the reasons many of us just say no to requests to connect iPhones
to company email.

-----Original Message-----
From: Peter Johnson [mailto:peter.john...@peterstow.com]
Sent: Wednesday, July 22, 2009 1:18 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA / SSL question

Thanks very much for the info Michael. That strikes me as a bit of a
security risk though.


-----Original Message-----
From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: 22 July 2009 04:19
To: MS-Exchange Admin Issues
Subject: Re: OWA / SSL question

It's true and not at the same time.  It's true because no, you don't
install a self-signed cert. It's false that the iPhone "works" with
them, because it doesn't.  It ignores the security condition.

However, I believe you can put your own certs on an iPhone via the
iPhone Configuration Utility.

http://www.macworld.com/article/134381/2008/07/iphone_config_utility.html

http://www.apple.com/support/iphone/enterprise/
--
ME2



On Tue, Jul 21, 2009 at 7:50 PM, Greg Wright <greg.wri...@wineselectors.com.au> wrote:
> This is the best response I have read so far on this subject. Of importance
> is the issue of mobile clients. Depending upon version, they vary from easy
> to install an un-trusted Authorities certificate to being impossible to
> install one.
>
>
>
> Jonathan Link said "#2 is not necessarily true.  I did not install the
> self-signed cert into my iPhone."
>
>
>
> I am not sure about this being true, and would like to hear from others. My
> experience and opinion of others in my immediate vicinity who have set these
> up indicate that Self-Signed SSL certificates do not work with iPhone (just
> as with WinMobiles). Maybe you aren't using SSL in your OWA setup?
>
>
>
> From: Peter Johnson [mailto:peter.john...@peterstow.com]
> Sent: Wednesday, 22 July 2009 2:28 AM
> To: MS-Exchange Admin Issues
> Subject: RE: OWA / SSL question
>
>
>
> With regards to this issue I believe the following is true with a self
> signed certificate
>
>
>
> 1.)    On the browsers the users would have to agree to continue to the site
> every time until they add the certificate to the machine. This is a pain
> particularly with mobile users and OWA access from ad-hoc computers such as
> Internet Kiosks etc.
>
> 2.)    Mobile phones using ActiveSync will not work until the self signed
> cert is installed onto the device.  This becomes an admin overhead.
>
>
>
> The worst case is if you have to rebuild the server in disaster recovery u
> generate a new certificate and the entire cycle starts all over again. I've
> been through this and it's not fun!!
>
>
>
> With regards to certificates I've used Digicert a few times and always had
> good results particularly with SAN certificates which you will need for
> Exchange 2007 going forward.
>
>
>
> Regards
>
> Peter Johnson
>
>
>
>
>
>
>
>
>
> From: Joe Heaton [mailto:jhea...@etp.ca.gov]
> Sent: 21 July 2009 16:46
> To: MS-Exchange Admin Issues
> Subject: RE: OWA / SSL question
>
>
>
> I know about GoDaddy, and recommend it every time any of our 4 SSL certs
> come up for renewal.  But the manager wants to stay with the "industry
> standard" Verisign.  I'm the kind of guy that buys the Shasta colas, or the
> Sam's colas, because it's pretty much the same thing at half the price.
>
>
>
> I have also looked at generating our own cert, which really makes sense for
> this purpose, as it's only internal users that will be accessing OWA. What
> could they face from home, if I use a homemade cert?  Are there browser
> issues, with certain browsers not liking homemade certs?
>
>
>
> Joe Heaton
>
> Employment Training Panel
>
>
>
> From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com]
> Sent: Tuesday, July 21, 2009 8:42 AM
> To: MS-Exchange Admin Issues
> Subject: RE: OWA / SSL question
>
>
>
> If your cert expires, users will have to either configure their browsers to
> allow them to go the site, or click through warning/error messages to get
> there.
>
> I would believe depending on your mobile phone setup those users will have
> similar problems.
>
> Have you looked into generating your own internal certificate?
>
>
>
> CHEAP: I got 3 year SSL Cert for OWA from GoDaddy.com for $67.47
>
>
>
>
>
> ________________________________
>
> From: Joe Heaton [mailto:jhea...@etp.ca.gov]
> Sent: Tuesday, July 21, 2009 11:27 AM
> To: MS-Exchange Admin Issues
> Subject: OWA / SSL question
>
> Guys,
>
>
>
> Due to the budget issues here in California, my agency is down to the wire
> with renewing our SSL cert for Exchange.  I've already told my manager that
> we can easily go with one of the cheaper alternatives, and have the same
> security, but she's really wanting to stick with Verisign.  Due to this, our
> SSL cert may end up expiring.  I've told her that the impact would be that I
> would have to turn off OWA.  In addition, wouldn't our phones be affected?
> We're using Activesync on our Windows Mobile devices, and requiring the SSL
> connection.  Would we be able to make a secure SSL connection without the
> cert?  I'm thinking this is possibly a stupid question, but my brain is
> really fuzzy this morning.
>
>
>
> Joe Heaton
>
> AISA
>
> Employment Training Panel
>
> 1100 J Street, 4th Floor
>
> Sacramento, CA  95814
>
> (916) 327-5276
>
> jhea...@etp.ca.gov
>
>














